Title

Web content directories must not be anonymously shared. (Cat II impact)

Discussion

Anonymously shared directories are exposed to unnecessary risk. Any unnecessary exposure increases the risk that an intruder could exploit the access and compromise the web content or cause web server performance problems.

Check Content

1. Navigate to the %systemroot%\system32 directory. 2. Right click on the inetsrv directory > Select properties > Select the sharing tab. 3. If any selection other than "Do not share this folder" is selected, this is a finding. 4. Using the IIS Manager right click on the web site being reviewed > Select properties. 5. Select the Home Directory tab > Note the path to the web site’s home directory. 6. Navigate to the parent directory of the directory noted above. 7. Right click on the directory noted above > Select properties > Select the sharing tab. 8. If any selection other than "Do not share this folder" is selected, this is a finding. 9. Select the Web Sharing tab. 10. Select the website being reviewed from the drop down menu. 11. If any entries other than “/” exist under the Aliases window, this is a finding. NOTE: Administrative shares are not exempt from this requirement. NOTE: In the case of a storage area network or file storage network, where partitions on the storage device are dedicated to front end / back end web services, the additional partitions will be mapped to the correct file storage network partition in the web server configuration. This can apply to both web content and web scripts. NOTE: The presence of operating system shares on the web server is not an issue as long as the shares are not part of the web content directories. The use of shares to move content from one environment to another is permitted if the following conditions are met: they are approved by the ISSM/ISSO; the shares are restricted to only allow administrators write access; the use of the shares does not bypass the sites approval process for posting new content to the web server; and developers are only permitted read access to these directories.

Fix Text

Remove the shares from the applicable directories.

Additional Identifiers

Rule ID: SV-38048r2_rule

Vulnerability ID: V-2226

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.